byterover-cli-memory-layer

Audit result: Fail

Audited by Gen Agent Trust Hub on May 17, 2026

Risk Level: CRITICAL
Finding categories: REMOTE_CODE_EXECUTION, CREDENTIALS_UNSAFE, DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill instructs users to install the ByteRover CLI by piping a remote shell script directly to the shell: curl -fsSL https://byterover.dev/install.sh | sh. This pattern is highly dangerous as it executes unverified code from an external source.
  • [REMOTE_CODE_EXECUTION]: Installation via npm install -g byterover-cli downloads and executes code from the public NPM registry.
  • [REMOTE_CODE_EXECUTION]: The brv hub install and brv connectors install commands allow for the dynamic download and execution of additional logic and integrations.
  • [CREDENTIALS_UNSAFE]: The tool manages sensitive API keys for over 20 LLM providers (e.g., Anthropic, OpenAI, Google) and stores them in a local configuration file at .brv/config.json. It also suggests the use of environment variables for secret storage.
  • [DATA_EXFILTRATION]: The brv push, brv pull, and brv vc push/pull commands transmit local project context and version history to the byterover.dev cloud service, posing a risk of sensitive data exposure.
  • [COMMAND_EXECUTION]: The ByteRover CLI includes "code exec" tools that can be invoked by the agent, potentially allowing for arbitrary command execution on the host system.
  • [DATA_EXFILTRATION]: The ability to add custom registries and external knowledge sources via brv hub registry add and brv source add creates vectors for unauthorized data transfer to untrusted endpoints.
  • [PROMPT_INJECTION]: This skill presents a significant vulnerability to indirect prompt injection:
      ◦ Ingestion points: Untrusted data enters the agent context through local project files via brv curate and external project links via brv source add (SKILL.md).
      ◦ Boundary markers: The instructions lack any requirement for boundary markers or delimiters to isolate untrusted content from agent instructions.
      ◦ Capability inventory: The skill provides high-privilege capabilities including file system access, network synchronization, and arbitrary code execution (SKILL.md).
      ◦ Sanitization: There is no documented mechanism for sanitizing or validating external content before it is processed by the LLM or executed as code.
Recommendations
  • HIGH: Downloads and executes remote code from https://byterover.dev/install.sh. DO NOT USE without thorough review.
  • AI detected serious security threats
Audit Metadata
Risk Level: CRITICAL
Analyzed: May 17, 2026, 07:33 PM